VTech Working With H.K. Regulator After Kids Accounts Hacked

  • Company investigating intrusion that affected 5 million users
  • City's privacy commission may put out statement on Tuesday

VTech Holdings Ltd. is working with regulators in Hong Kong after a hacking attack at the maker of electronic toys and computer tablets compromised the privacy of millions of children and parents.

Attackers accessed servers containing names, e-mail addresses and passwords, according to the company. The hackers also obtained children’s photos and chat records, technology blog Motherboard reported. The Office of the Privacy Commissioner for Personal Data is in contact with the Hong Kong-based company for a “compliance check.”

While the hacking didn’t access credit card information, the independent statutory body runs checks to determine if websites do enough to safeguard user data. VTech’s legal department is handling those inquiries, though both sides are still in the early stages of communication, Corinna Chan, a spokeswoman for VTech, said by phone.

Although the perpetrators didn’t steal financial data, they could use the information to gain access to social media profiles or to target children online, said Bryce Boland, Asia chief technology officer for FireEye Inc.

Learning Lodge

“It may be that this data theft is only the tip of the iceberg,” Boland said in an e-mail. “Until there is a thorough forensic investigation, they won’t know if they can still be sucker-punched in cyberspace. The horse may have bolted, but that doesn’t mean the hacker didn’t move from the barn to the house.”

Hackers accessed 5 million customer accounts through VTech’s Learning Lodge database, where users download applications, learning games and e-books. The company, which gets about 90 percent of revenue from North America and Europe, suspended several websites and began an internal investigation. Authorities in Connecticut also plan to investigate the breach, Reuters reported.

The regulator said its probe will seek to determine if VTech took appropriate steps to safeguard information and what remedial steps it will adopt to prevent similar incidents in the future.

VTech hasn’t disclosed how many users in Hong Kong have been affected, the Office of the Privacy Commissioner said in an e-mailed statement. Penalties for non-compliance can include a fine of as much as HK$50,000 ($6,449) and imprisonment for two years.

“As the compliance check has just commenced, the PCPD cannot comment, at
this stage, on whether the ordinance had been breached,” the agency said.

Shares in VTech were little changed in Hong Kong, closing at HK$87.10 on Tuesday.

Chief Executive Officer Allan Wong, Chief Technology Officer Chu Chorn Yeong and four other senior VTech executives didn’t respond to e-mails seeking comment.

Before it's here, it's on the Bloomberg Terminal. LEARN MORE